Disconnecting from Network Shares with net.exe¶
Identifies attempts to remove network shares with the Windows built-in command net.exe
| id: | 7d328c61-8f63-4411-9ae7-e5b502a80e7e |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1126 Network Share Connection Removal |
Query¶
process where subtype.create and
process_name == "net.exe" and command_line == "* /d*"